1. Field of the Invention
The present invention relates to a device and a method for communicating with another communication device connected to an external network via a network forwarding device that has an address translation function.
2. Description of the Related Art
In recent years, a network configuration using a Network Address Translation (NAT) Box has come into wide use so that more devices than the finite number of global Internet Protocol (IP) addresses can communicate simultaneously with other devices connected to the Internet. The NAT Box is a router (i.e., a network forwarding device) that has a Network Address Translation (NAT) function and that forwards a received packet after rewriting the IP address or the port number in the packet.
Every time a NAT Box detects a new communication started by a device under the NAT Box, it generates and stores data called NAT mapping data, which maps a translated address to the tuple of source address and destination address contained in a packet. The NAT Box translates the addresses in subsequent packets by referring to this NAT mapping data.
In many situations, the word “address” denotes not only an IP address but also an address used in a transport protocol such as a port number in a Transmission Control Protocol (TCP) header or in a User Datagram Protocol (UDP) header. Hereinafter, the address translation process performed by a NAT Box will be referred to as a “NAT translation”.
The NAT Box that is widely used is able to forward, after performing a NAT translation, only those types of packets in which the IP header is followed by a TCP header, a UDP header, or an Internet Control Message Protocol (ICMP) header. Thus, for example, if a device under the NAT Box tries to communicate using packets that are encrypted according to the transport mode of Encapsulating Security Payload (ESP), in which an ESP header is inserted immediately after the IP header, the NAT Box is not able to perform a NAT translation and forward the packet. To cope with this situation, a technique has been proposed by which a UDP header is inserted between the IP header and the ESP header so that the NAT Box is able to perform a NAT translation and forward the packet. (For example, A. Huttunen et al., “RFC 3948, UDP Encapsulation of IPsec ESP Packets”, [online], January 2005, retrieved from the Internet: <URL: http://www.ietf.org/rfc/rfc3948.txt> (hereinafter, “Document 1”); and T. Kivinen et al., “RFC 3947, Negotiation of NAT-Traversal in the IKE”, [online], January 2005, retrieved from the Internet: <URL: http://www.ietf.org/rfc/rfc3947.txt> (hereinafter, “Document 2”)).
However, for example, when multiple devices under one NAT Box communicate with the same server on the Internet using the method disclosed in Document 1, there is a possibility that the application within the server is not able to judge from which of the devices under the NAT Box each packet has been received, and miscommunication of data occurs.
For example, assume that multiple devices under one NAT Box use the same tuple of source port number and destination port number in the UDP header, encapsulate each UDP datagram with an ESP header and a new UDP header, and transmit the encapsulated datagram to a server, and that the server removes the ESP header and the UDP header and decrypts the packet according to the method disclosed in Document 1. In this situation, the packets transmitted from the devices all have the same tuple of source IP address, destination IP address, source port number, destination port number, and transport protocol type. Accordingly, the application within the server is not able to judge from which of the devices under the NAT Box each packet has been received.
To cope with this problem, Document 1 has proposed a technique for avoiding the miscommunication of data described above. More specifically, when the server has received an IP address and a port number of a Security Association (SA) during the key exchange process that precedes a communication using ESP, the server checks whether there is already an SA that has the same tuple of IP address and port number. If there is such an SA, the key exchange process is canceled, and the communication with ESP is canceled. Thus, miscommunication is avoided.
In addition, another technique for avoiding miscommunication has been proposed by which a server replaces the source port number in the ESP-encapsulated UDP header with the source port number from the UDP header located between the IP header and the ESP header of the received packet (for example, United States Patent Application Laid-Open No. 2004/0143758, Specification).
A NAT translation is performed by the NAT Box on the source port number in the UDP header located between the IP header and the ESP header of the packet described above. Because of the way a NAT Box allocates its mappings, each tuple of source IP address, source port number, and protocol type is always unique. As a result, the tuple of a source IP address, a destination IP address, and a protocol type in the packet received by the application is also unique. Accordingly, the application within the server is able to judge from which of the devices under the NAT Box each packet has been received.
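The following is an added example, not part of the patent text, that models the three situations described above in one script: the RFC 3948 layout (IP header, outer UDP header, ESP header, inner UDP datagram) sent by two devices under one NAT Box, the colliding flow tuple the server application sees after decapsulation, the SA duplicate check of Document 1 applied at key-exchange time, and the source-port replacement of United States Patent Application Laid-Open No. 2004/0143758. All addresses, ports, SPIs and payloads are constructed for the demonstration, the ESP payload is carried without real encryption because only header handling is being illustrated, and the `SaTable` class is a simplified model of the Document 1 check keyed on the peer IP address as seen by the server and the inner source port.

```python
import struct
from dataclasses import dataclass

# Constructed sample addresses (RFC 5737 documentation ranges); not from the patent text.
SERVER_IP = "203.0.113.10"
NAT_GLOBAL_IP = "203.0.113.1"
HOSTS = ["10.0.0.2", "10.0.0.3"]     # two devices under the same NAT Box
INNER_SPORT, INNER_DPORT = 5000, 6000  # both devices use the same inner UDP port pair
NAT_T_PORT = 4500                      # UDP port used for ESP-in-UDP (RFC 3948)


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: str      # transport protocol following the IP header ("UDP" here)
    payload: bytes  # everything after the IP header


def udp_header(sport: int, dport: int, data_len: int) -> bytes:
    # UDP header: source port, destination port, total length, checksum (0: not verified here)
    return struct.pack("!HHHH", sport, dport, 8 + data_len, 0)


def parse_udp(data: bytes):
    sport, dport, length, _ = struct.unpack("!HHHH", data[:8])
    return sport, dport, data[8:length]


def build_nat_t_packet(host_ip: str, spi: int, seq: int, data: bytes) -> Packet:
    """Device side: inner UDP datagram -> transport-mode ESP -> outer UDP (RFC 3948 layout)."""
    inner = udp_header(INNER_SPORT, INNER_DPORT, len(data)) + data
    # ESP header = SPI + sequence number. The payload is left in clear text here
    # because only header handling matters for this demonstration (hypothetical, no encryption).
    esp = struct.pack("!II", spi, seq) + inner
    outer = udp_header(NAT_T_PORT, NAT_T_PORT, len(esp)) + esp
    return Packet(host_ip, SERVER_IP, "UDP", outer)


class NatBox:
    """Rewrites the source IP and the outer UDP source port, keeping NAT mapping data."""

    def __init__(self, global_ip: str):
        self.global_ip = global_ip
        self.mapping = {}       # (private IP, private port, proto) -> translated port
        self.next_port = 40000  # constructed allocation policy: sequential ports

    def forward(self, pkt: Packet) -> Packet:
        sport, dport, body = parse_udp(pkt.payload)
        key = (pkt.src_ip, sport, pkt.proto)
        if key not in self.mapping:  # new communication: create NAT mapping data
            self.mapping[key] = self.next_port
            self.next_port += 1
        new_sport = self.mapping[key]
        return Packet(self.global_ip, pkt.dst_ip, pkt.proto,
                      udp_header(new_sport, dport, len(body)) + body)


def server_decapsulate(pkt: Packet, replace_port: bool = False):
    """Server side: strip outer UDP and ESP; return the flow tuple the application sees."""
    outer_sport, _outer_dport, esp = parse_udp(pkt.payload)
    spi, _seq = struct.unpack("!II", esp[:8])
    in_sport, in_dport, data = parse_udp(esp[8:])
    if replace_port:
        # US 2004/0143758 technique: overwrite the inner source port with the
        # NAT-translated outer source port, which is unique per device.
        in_sport = outer_sport
    flow = (pkt.src_ip, pkt.dst_ip, in_sport, in_dport, "UDP")
    return flow, spi, data


class SaTable:
    """Simplified model of the Document 1 check performed during key exchange."""

    def __init__(self):
        self.sas = {}  # (peer IP as seen by the server, peer port) -> SPI

    def negotiate(self, peer_ip: str, peer_port: int, spi: int) -> bool:
        key = (peer_ip, peer_port)
        if key in self.sas:  # an SA with this tuple already exists: cancel the exchange
            return False
        self.sas[key] = spi
        return True


def run_scenario():
    nat = NatBox(NAT_GLOBAL_IP)
    sa_table = SaTable()
    spis = (0x1001, 0x1002)  # constructed SPIs, one per device
    # Document 1 check: the second device presents the same (server-visible IP, port) tuple.
    accepted = [sa_table.negotiate(NAT_GLOBAL_IP, INNER_SPORT, spi) for spi in spis]
    arrived = [nat.forward(build_nat_t_packet(h, spi, 1, b"hello from " + h.encode()))
               for h, spi in zip(HOSTS, spis)]
    plain = [server_decapsulate(p)[0] for p in arrived]                      # colliding tuples
    replaced = [server_decapsulate(p, replace_port=True)[0] for p in arrived]  # distinct tuples
    return {"accepted": accepted, "plain_flows": plain, "replaced_flows": replaced}


if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(name, value)
```

Running the script shows `plain_flows` containing two identical tuples, `accepted` as `[True, False]` (the second key exchange is canceled by the Document 1 check), and `replaced_flows` differing only in the source port, which is what lets the server application tell the two devices apart.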
However, with any of the methods disclosed in the documents above, a problem remains in that the processing load of the server increases. More specifically, according to the method disclosed in Document 1, the server must determine whether there is already an SA having the same IP address and the same port number. Also, according to the method disclosed in the specification of United States Patent Application Laid-Open No. 2004/0143758, every time the server receives a packet, the server needs to replace the source port number.